Method for authentication

An authentication technology and method, applied in the field of authentication, that addresses the problems of reduced security, limited range of use and/or an insufficient security level, and achieves a configurable (increased) key length, ease of use and a higher security level.

Active Publication Date: 2011-04-14
SIGN2PASS TECH

AI Technical Summary

Benefits of technology

[0024] Thus, an advantage of the present invention is that the first party may be unknown to the second party, since the authentication process is performed via the trusted third party. A further advantage is that the first party does not need to transfer any ID to the second party. However, the first party also communicates directly with the second party, which feels more natural and is more effective than if all communication passed through the trusted third party. The direct communication between the first party and the second party makes the method of the present invention suitable for use in, for example, stores.
[0025] The random private key is provided to the first party by the trusted third party, preferably only immediately before the intended use, which has the advantage that the user does not have to remember the code or keep it stored anywhere. Accordingly, the method of the present invention is easy to use, and user friendliness is therefore high. The fact that the code is neither stored by the first party nor reveals the identity of the first party also contributes to making the method secure.
[0026] The above-discussed use of the random open key and the random private key to form a single use temporary master authentication code makes it possible to have a very limited information transfer between the first and second party. In some realizations, it suffices that the random private key is transferred from the first party to the second party, thus avoiding the need to transfer ID information and the like. An advantage of the present invention is that the first party does not need to transmit its identification data to the second party, since the random private key in combination with the random open key carries the identity of the first party.
[0027] Preferably, the random private key comprises a sequence of alphabetic and/or numeric characters. The random private key itself does not have to be unique, but forms a unique temporary master authentication code in combination with the random open key.
[0028] The random open key preferably comprises a sequence of numeric and/or alphabetic characters. The random open key may further be divided into segments, wherein one of the segments may be random while the other segments may define, for example but not limited to, the type of transaction requested, the identity of the trusted third party, or a geographical location, such as a region. The length of the random open key may be configurable depending on the application in which it is used, so that the length is increased when higher security levels are needed.
[0029] Accordingly, the single use temporary master authentication code, being a combination of the random private key and the random open key, forms a code which cannot in itself be related to a specific party, which further increases the security. The code may be completely random or, alternatively, be created by means of an algorithm. The code is preferably unique, at least during its expiration time. As an example, a random open key may have a length of 6 characters from 0 to 9, and the first two positions may be dedicated to defining e.g. usage region and type of usage; consequently, in this example there remain 4 characters which could be random and create up to 10000 different values. If the random private key contains 7 characters from A-Z and 0-9 and the complete key is random, the total number of random private keys comprises about 78 billion available combinations. In a single use temporary master authentication code, the total number of available combinations for a specific region and service could therefore in this example be about 8*10^14.

Problems solved by technology

Although it provides a method with higher security than conventional methods, a problem with the method disclosed in WO2006075917 is that the entire code is created in the user device, by means of an algorithm based upon a user personal code, a user device ID and, if necessary, a service provider code, and is then compared to a corresponding code at the service provider. This means that the entire code exists in its complete form and is stored in both the user device and the service provider, which reduces the security.
Another problem with the method disclosed in WO2006075917 is that the code can be associated with a certain user.
Further, several of the conventional methods for identification are only adapted for remote communication between two parties, such as the method disclosed in WO0235487, which limits the range of use considerably.
Common problems of conventional methods for authentication are that they are often complicated to use and/or do not provide a high enough security level.
Yet another problem with the methods used today is that their predictability is often high.


Embodiment Construction

[0089]An overview of an example of a network structure in which the present invention can be used is illustrated in FIG. 1.

[0090] The illustrated network structure comprises a number of units 10, 12 and 14-17, in communicative connection via a communication network 19. The connection to the units may be wired, indicated by full lines in FIG. 1, or wireless, indicated by dashed lines in FIG. 1. The network 19 may be a public, semi-public or private network, for example the internet or a private corporate network.

[0091]In the following description, some of the units are denoted first party 12, i.e. a unit requesting authentication, some units are denoted second party 10, from which authentication is requested, and some units are denoted trusted third party 15, by which the authentication is provided. In principle, any unit may take the role of first, second or third party, and a unit may also take the role of more than one of first, second and third party in different authentication proces...


Abstract

A method for authentication of a first party, A, to a second party, B, by a trusted third party, C, is disclosed. A is registered at C, and the method comprises the steps of receiving identification data of A from A; determining, based on the identification data, if A has the right to request a random private key, RPK; and generating a temporary RPK. Further, C combines the RPK and a random open key, ROK, to form a single use temporary master authentication code; transmits the RPK to A; and, upon receipt of the RPK and the ROK from B, determines if the received RPK and ROK match a valid single use temporary master authentication code; and authenticates, in case of a match, A to B. The first party, A, may be any handheld device, such as a mobile phone or a PDA, or a stationary device, such as a stationary computer or an ATM. The communication between the parties may be wired or wireless. A corresponding system is also disclosed.
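The following Python model is an added worked example and is not code from the patent or from SIGN2PASS TECH. It plays the trusted third party C for the exchange described in the abstract and in paragraphs [0024]-[0029]: C checks that A is registered, issues a random RPK, combines it with the ROK into a single use master code with an expiration time, and later authenticates A to B from the RPK and ROK that B presents. Everything below is assumed for illustration: that the ROK is issued by C to B for the session (with a region digit and a usage digit in front of four random digits, as in [0029]), the 120-second expiry, the SHA-256 storage of the master code so that C keeps only a digest rather than the full code, the party names, and the injectable clock used for testing expiry.

```python
import hashlib
import secrets
import string
import time
from typing import Callable, Dict, Optional, Set, Tuple

# Constructed parameters following the example in [0029]: a 6-digit ROK whose first
# two positions encode region and usage type, and a 7-character RPK from A-Z and 0-9.
ROK_RANDOM_DIGITS = 4
RPK_ALPHABET = string.ascii_uppercase + string.digits
RPK_LENGTH = 7
RPK_TTL_SECONDS = 120  # assumed expiration time; the patent only says "expiration time"


def _digest(master_code: str) -> str:
    # C stores only a hash of the master code (assumed design choice): a copy of
    # C's table does not reveal usable codes, and lookup is by digest.
    return hashlib.sha256(master_code.encode("ascii")).hexdigest()


class TrustedThirdParty:
    """Party C: registers first parties and issues / validates single use codes."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock
        self.registered: Set[str] = set()
        # digest(RPK + ROK) -> (first party id, expiry timestamp)
        self.pending: Dict[str, Tuple[str, float]] = {}

    def register(self, first_party_id: str) -> None:
        """A is registered at C before it may request any RPK."""
        self.registered.add(first_party_id)

    def issue_open_key(self, region: str, usage: str) -> str:
        """ROK for a second party B: fixed region/usage digits, then random digits."""
        if not (region.isdigit() and usage.isdigit() and len(region) == len(usage) == 1):
            raise ValueError("region and usage must each be a single digit")
        random_part = "".join(secrets.choice(string.digits) for _ in range(ROK_RANDOM_DIGITS))
        return region + usage + random_part

    def request_private_key(self, first_party_id: str, rok: str) -> Optional[str]:
        """Abstract steps 1-3: check A's right to request, generate a temporary RPK,
        combine it with the ROK into a single use master code, and hand the RPK to A."""
        if first_party_id not in self.registered:
            return None  # A has no right to request an RPK
        while True:
            rpk = "".join(secrets.choice(RPK_ALPHABET) for _ in range(RPK_LENGTH))
            key = _digest(rpk + rok)
            # The RPK itself need not be unique ([0027]); the combination must be.
            if key not in self.pending:
                break
        self.pending[key] = (first_party_id, self.clock() + RPK_TTL_SECONDS)
        return rpk  # only the RPK travels to A; A never receives the ROK from C

    def authenticate(self, rpk: str, rok: str) -> Optional[str]:
        """Called by B with the RPK it received from A and the ROK it holds.
        Returns A's identity on a match; the code is consumed, so it is single use."""
        entry = self.pending.pop(_digest(rpk + rok), None)  # pop: one use only
        if entry is None:
            return None  # unknown or already used combination
        first_party_id, expires_at = entry
        if self.clock() > expires_at:
            return None  # valid combination, but outside its expiration time
        return first_party_id


def run_store_scenario(clock: Callable[[], float] = time.time) -> Tuple[str, Optional[str], Optional[str]]:
    """Constructed walk-through: a store (B) shows its ROK, a registered customer (A)
    fetches an RPK from C and hands it to B, and B asks C who the customer is."""
    c = TrustedThirdParty(clock)
    c.register("customer-A")           # constructed identity
    rok = c.issue_open_key("1", "2")   # region 1, usage type 2 as in [0029]
    rpk = c.request_private_key("customer-A", rok)
    first_try = c.authenticate(rpk, rok)   # expected: "customer-A"
    second_try = c.authenticate(rpk, rok)  # expected: None, code already consumed
    return rok, first_try, second_try


if __name__ == "__main__":
    print(run_store_scenario())
```

The point worth noticing for a defender is what each party learns: B sees only an RPK that is meaningless without the ROK, A never learns the ROK, and C's table holds digests rather than the complete codes that WO2006075917 is criticised for storing in full on both ends.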

Description

TECHNICAL FIELD

[0001] The present invention relates to a method for authentication of a first party to a second party, by a trusted third party. The present invention also relates to a corresponding system.

BACKGROUND OF THE INVENTION

[0002] Methods for identification of one party to another party that are communicating via electronic media are widely used. Examples of applications where identification of the user is needed are withdrawing from an ATM, controlling a remote computer over the internet, using an internet banking system, performing a payment transaction when webshopping, etc. Several well known principles exist within this field of technology.

[0003] Conventionally authentication has been performed via user name and password, offering a relatively low security. For a higher security the so called two factor authentication has been used, meaning that a combination of for example something the user knows and something the user has, such as a PIN and a bank card, are needed for ...


Application Information

Patent Type & Authority: Applications (United States)
IPC(8): H04L9/32, G06F21/00, G06F21/33, G06Q20/00
CPC: G06Q20/02, G06F21/33
Inventor KALBRATT, BENNY
Owner SIGN2PASS TECH